LibJS: Make ConservativeVector<T> visit all possible values

We were miscalculating the length of the buffer in pointer-sized chunks,
which is what the conservative root scan cares about.

This could cause some values to be prematurely garbage-collected.

Libraries/LibJS/Heap/ConservativeVector.h

@@ -66,7 +66,11 @@ public:
 
     virtual ReadonlySpan<FlatPtr> possible_values() const override
     {
-        return ReadonlySpan<FlatPtr> { reinterpret_cast<FlatPtr const*>(this->data()), this->size() };
+        static_assert(sizeof(T) >= sizeof(FlatPtr));
+        return ReadonlySpan<FlatPtr> {
+            reinterpret_cast<FlatPtr const*>(this->data()),
+            this->size() * sizeof(T) / sizeof(FlatPtr),
+        };
     }
 };